Protecting the Player – Information Security Concerns
Gus Fritschie, @gfritschie
March 21, 2014
© SeNet International Corp. 2014 2 March 2014
Overview
While there is the potential for attacks against the iGaming application and infrastructure, it is easier to attack the consumer.
Why spend days trying to exploit a SQL injection vulnerability when all you need to do is get a player to click a link?
The focus of this talk is on protecting the player.
Houston, We Have a Problem
Barcelona Laptop Incident
http://pokerfuse.com/news/live-and-online/confirmed-ept-barcelona-laptop-infected-with-screen-sharing-trojan-11-12/
Las Vegas Sands Hacked
What Can Sites Do?
There are many steps that sites can take to help protect their players; here are some:
• Security Awareness
• User security controls (e.g. password policy, multi-factor authentication, account lockout)
• Site security controls (e.g. SSL, secure coding, secure configuration)
• Continuous Monitoring
Security Awareness
• Operators need to do more to raise security awareness among their customers.
• This could take the form of logon messages, emails, or other forms of communication.
• Last year PokerStars released a guide on protecting your laptop that was distributed at an EPT event in the wake of the Barcelona hotel incident.
• Learn a lesson from Facebook.
User Controls
• Password complexity requirements
• Session timeout
• Account Lockout
• Multiple Sessions
• Dual-factor authentication
• IP/MAC Restrictions
• Logon Notification
Site Controls
• Security Code Reviews
• 3rd Party and Internal Security Reviews
• Secure architecture design and implementation
• Configuration Management
• Encryption (data-in-transit and data-at-rest)
Continuous Monitoring
• Collusion/bot detection
• Abnormal activity/win rates
• Account Activities
• Logging/SIEM
• Important to monitor not only technical controls, but management and operational controls too
Examples
Security Configuration Issues
Authentication Weaknesses
http://www.onlinepokerreport.com/9529/authentication-comparison-two-nj-igaming-sites/
Backend Password and Username Exposed in Request
Password Stored in Clear-text in Database
When the forgot-password function is used, the password sent by email is the same one the player originally set. This indicates that passwords are stored in clear text.
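The pattern behind this slide, as an added example that is not part of the deck: the clear-text store that makes "mail the password back" possible, beside a hardened store and reset flow. Python standard library only; the usernames, passwords, reset URL host and 15-minute token lifetime are constructed placeholders.

```python
# Added example (not from the slide deck). Contrasts clear-text password storage
# with a salted PBKDF2 store and a single-use, expiring reset token.
import hashlib, hmac, os, secrets, time

# --- Weak pattern the slide describes: a "forgot password" mail can only carry the
# original password if the database holds it in recoverable form.
weak_db = {}                                    # username -> clear-text password

def weak_register(user, password):
    weak_db[user] = password

def weak_forgot_password_mail(user):
    return f"Your password is: {weak_db[user]}"  # the stored secret leaves the system

# --- Hardened pattern: salted hash, constant-time compare, reset by token only.
PBKDF2_ROUNDS = 600_000          # cost parameter; raise as hardware allows
users = {}                        # username -> {"salt": bytes, "hash": bytes}
reset_tokens = {}                 # sha256(token) -> (username, expiry); raw token never stored

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def register(user, password):
    salt = os.urandom(16)
    users[user] = {"salt": salt, "hash": _derive(password, salt)}

def verify(user, password) -> bool:
    rec = users.get(user)
    if rec is None:
        _derive(password, b"\x00" * 16)         # same cost for unknown users
        return False
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))

def forgot_password_mail(user, now=None, ttl=900) -> str:
    """The mail carries a one-time token, never the password (host is a placeholder)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    reset_tokens[hashlib.sha256(token.encode()).digest()] = (user, now + ttl)
    return f"Reset link: https://example.invalid/reset?token={token}"

def reset_password(token, new_password, now=None) -> bool:
    now = time.time() if now is None else now
    entry = reset_tokens.pop(hashlib.sha256(token.encode()).digest(), None)  # single use
    if entry is None:
        return False
    user, expiry = entry
    if now > expiry or user not in users:
        return False
    register(user, new_password)                 # fresh salt, fresh hash
    return True
```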
Weak Password Policy